[1114] in cryptography@c2.net mail archive
Re: cracking n-DES?
daemon@ATHENA.MIT.EDU (David Wagner)
Sat Jun 28 12:14:17 1997
From: David Wagner <daw@cs.berkeley.edu>
To: perry@piermont.com
Date: Sat, 28 Jun 1997 01:21:59 -0700 (PDT)
Cc: cryptography@c2.net
In article <199706280618.CAA06654@jekyll.piermont.com> you write:
>
> I have to study
> Dave's attack more, [...]
>
Here's the cliff notes:
You exploit a lack of diffusion. You put in a one-byte difference
in the plaintext (say). Each ECB-DES layer can only increase the
number of bytes that differ by a factor of 8 (and then the trans
re-shuffles them around). After two des|trans passes, you've only
got 8^2 = 64 bytes differing, out of a total of 8192 bytes per "trans
permutation block" -- that's very minimal avalanche.
Now you just guess the last DES key, peel off the last layer, and
check whether the result has the reduced-avalanche pattern that you
expect to see after 2 passes.
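
The diffusion bound described in the message above, as an added example that is not part of the original post: it counts differing bytes after each des|trans pass and compares peeling the last layer with the right key against a wrong one. Assumptions: a SHA-256-based Feistel permutation stands in for DES, `trans` is modelled as a fixed byte permutation over the 8192-byte span, the layout is two des|trans passes followed by a final cipher layer, and all keys and data are constructed.

```python
import hashlib, random

BLOCK, SPAN = 8, 8192  # cipher block and "trans" span in bytes (span is from the post)

def _f(key, rnd, half):
    # Round function of the stand-in cipher (assumption: this is NOT DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def toy_block(key, blk, decrypt=False):
    # 4-round Feistel permutation on one 8-byte block, used in place of DES.
    l, r = blk[:4], blk[4:]
    for rnd in (range(3, -1, -1) if decrypt else range(4)):
        if decrypt:
            l, r = bytes(a ^ b for a, b in zip(r, _f(key, rnd, l))), l
        else:
            l, r = r, bytes(a ^ b for a, b in zip(l, _f(key, rnd, r)))
    return l + r

def ecb(key, data, decrypt=False):
    return b"".join(toy_block(key, data[i:i + BLOCK], decrypt)
                    for i in range(0, len(data), BLOCK))

def trans(perm, data):
    # Assumed transposition: a fixed byte permutation over the whole span.
    return bytes(data[p] for p in perm)

def diff(a, b):
    return sum(x != y for x, y in zip(a, b))

def experiment(seed=1):
    rng = random.Random(seed)  # all keys and data below are constructed
    rand = lambda n: bytes(rng.getrandbits(8) for _ in range(n))
    keys = [rand(8) for _ in range(3)]
    perms = [rng.sample(range(SPAN), SPAN) for _ in range(2)]
    a = rand(SPAN)
    b = bytes([a[0] ^ 1]) + a[1:]          # one-byte plaintext difference
    per_pass = []
    for key, perm in zip(keys, perms):      # two des|trans passes
        a, b = trans(perm, ecb(key, a)), trans(perm, ecb(key, b))
        per_pass.append(diff(a, b))
    ca, cb = ecb(keys[2], a), ecb(keys[2], b)   # final cipher layer
    wrong = rand(8)
    peel = lambda k: diff(ecb(k, ca, True), ecb(k, cb, True))
    return per_pass, diff(ca, cb), peel(keys[2]), peel(wrong)

if __name__ == "__main__":
    print(experiment())
```

The tuple returned is (differing bytes after pass 1 and pass 2, differing ciphertext bytes, count after peeling with the right key, count after peeling with a wrong key); only the right key brings the count back under the 8^2 = 64 bound.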